Hartmut
805bb0464f
- docker-compose.yml: require ${POSTGRES_PASSWORD} for the postgres service
and the app container's DATABASE_URL. No default — compose refuses to start
without it, mirroring the existing PGADMIN_PASSWORD pattern.
- Dockerfile.prod: move auth/db ENV assignments from persistent ENV lines into
an inline env prefix on the `pnpm build` RUN step. Placeholders are still
available to `next build` but no longer persist in the builder layer or in
the published migrator image (which is FROM builder).
- Dockerfile.dev: add HEALTHCHECK against /api/health and install curl for it.
- .dockerignore: cover nested **/.env*, **/*.pem, **/*.key, **/secrets/**.
- runtime-env.ts: add the CI build placeholder strings to the disallowed-secret
set so a misconfigured prod deploy using the baked-in ARG defaults fails
startup instead of silently running with a known-bad secret.
- .env.example: document the new POSTGRES_PASSWORD requirement.
- CI: write POSTGRES_PASSWORD into the Fresh-Linux Docker Deploy job's .env
(must match docker-compose.ci.yml's hardcoded DATABASE_URL), and provide a
dummy value in the E2E job where compose validates all services' interp.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
72 lines
2.4 KiB
TypeScript
72 lines
2.4 KiB
TypeScript
import { describe, expect, it } from "vitest";
|
|
import { assertSecureRuntimeEnv, getRuntimeEnvViolations } from "./runtime-env";
|
|
|
|
describe("runtime env validation", () => {
|
|
it("allows non-production environments without auth runtime settings", () => {
|
|
expect(getRuntimeEnvViolations({ NODE_ENV: "development" })).toEqual([]);
|
|
});
|
|
|
|
it("accepts a valid production auth secret and https url", () => {
|
|
expect(
|
|
getRuntimeEnvViolations({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_SECRET: "super-long-random-secret",
|
|
NEXTAUTH_URL: "https://capakraken.example.com",
|
|
}),
|
|
).toEqual([]);
|
|
});
|
|
|
|
it("rejects a missing production auth secret", () => {
|
|
expect(
|
|
getRuntimeEnvViolations({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_URL: "https://capakraken.example.com",
|
|
}),
|
|
).toContain("AUTH_SECRET or NEXTAUTH_SECRET must be set in production.");
|
|
});
|
|
|
|
it("rejects the development placeholder auth secret in production", () => {
|
|
expect(
|
|
getRuntimeEnvViolations({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_SECRET: "dev-secret-change-in-production",
|
|
NEXTAUTH_URL: "https://capakraken.example.com",
|
|
}),
|
|
).toContain(
|
|
"AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.",
|
|
);
|
|
});
|
|
|
|
it("rejects the CI build-time placeholder that leaks from Dockerfile ARG default", () => {
|
|
expect(
|
|
getRuntimeEnvViolations({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_SECRET: "ci-build-placeholder-secret-minimum-32-chars",
|
|
NEXTAUTH_URL: "https://capakraken.example.com",
|
|
}),
|
|
).toContain(
|
|
"AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.",
|
|
);
|
|
});
|
|
|
|
it("rejects non-https auth urls in production", () => {
|
|
expect(
|
|
getRuntimeEnvViolations({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_SECRET: "super-long-random-secret",
|
|
NEXTAUTH_URL: "http://capakraken.example.com",
|
|
}),
|
|
).toContain("AUTH_URL or NEXTAUTH_URL must use https in production.");
|
|
});
|
|
|
|
it("throws with a combined startup error when production env is invalid", () => {
|
|
expect(() =>
|
|
assertSecureRuntimeEnv({
|
|
NODE_ENV: "production",
|
|
NEXTAUTH_SECRET: "dev-secret-change-in-production",
|
|
NEXTAUTH_URL: "not-a-url",
|
|
}),
|
|
).toThrow(/Invalid production runtime configuration/);
|
|
});
|
|
});
|